Specification of SNOW 3G in Cryptol

Specification of SNOW 3G in Cryptol Pedro Pereira Ulisses Costa Formal Methods in Software Engineering March 26, 2009 Pedro Pereira, Ulisses Costa Specification of SNOW 3G in Cryptol

Upload: ulisses-costa

Post on 18-Dec-2014

Page 1: Specification of SNOW 3G in Cryptol

Specification of SNOW 3G in Cryptol

Pedro Pereira Ulisses Costa

Formal Methods in Software Engineering

March 26, 2009

Pedro Pereira, Ulisses Costa Specification of SNOW 3G in Cryptol

Page 2: Specification of SNOW 3G in Cryptol

Index

1 Cryptol

2 Stream Ciphers

3 Conclusion


Page 3: Specification of SNOW 3G in Cryptol

Overview

High-level language to deal with low-level problems

Everything is a sequence

Sequences can be either finite or infinite

Primitive polymorphic functions

Information Structure can be changed easily

Recursion and sequence comprehensions ⇒ recurrence relations

Page 4: Specification of SNOW 3G in Cryptol

Types

Cryptol

tail : {a b} [a+1]b -> [a]b;

Types are size- and bit-oriented

Sequences can have infinite size (inf)

[a]b - Polymorphism over b

Haskell

tail :: [b] -> [b]

Lists can have infinite length

[b] - Polymorphism over b

Very similar notation

Polymorphism

Type inference


Page 5: Specification of SNOW 3G in Cryptol

Types

Types in Cryptol are size oriented

Cryptol

drop : {a b c} (fin a,a >= 0) => (a,[a+b]c) -> [b]c

take : {a b c} (fin a,b >= 0) => (a,[a+b]c) -> [a]c

join : {a b c} [a][b]c -> [a*b]c

split : {a b c} [a*b]c -> [a][b]c

tail : {a b} [a+1]b -> [a]b

Haskell

drop :: Int -> [a] -> [a]

take :: Int -> [a] -> [a]

concat :: [[a]] -> [a] -- join in cryptol

tail :: [a] -> [a]


Page 6: Specification of SNOW 3G in Cryptol

Language

Cryptol

fib(n) = fibs @ n
  where {
    fibs = [0 1] # [| x + y || x <- drop (1,fibs) || y <- fibs |];
  };

Haskell

fib n = fibs !! n
  where fibs = [0,1] ++ [ x + y | x <- drop 1 fibs | y <- fibs ]

Footnote: compile the Haskell version with ghc -XParallelListComp

Page 7: Specification of SNOW 3G in Cryptol

Language

Specification

MULα(c) = (MULxPOW(c, 23, 0xA9) || MULxPOW(c, 245, 0xA9) || MULxPOW(c, 48, 0xA9) || MULxPOW(c, 239, 0xA9))

Cryptol

MULa : [8] -> [32];
MULa(c) = join ( reverse [
    ( MULxPOW(c, 23 :[32] , 0xA9) )
    ( MULxPOW(c, 245:[32] , 0xA9) )
    ( MULxPOW(c, 48 :[32] , 0xA9) )
    ( MULxPOW(c, 239:[32] , 0xA9) ) ] );

C

/* The function MUL alpha.
 * Input c: 8-bit input.
 * Output : 32-bit output.
 * See section 3.4.2 for details.
 */
u32 MULalpha(u8 c) {
    return
        ((((u32)MULxPOW(c, 23, 0xa9)) << 24) |
         (((u32)MULxPOW(c, 245, 0xa9)) << 16) |
         (((u32)MULxPOW(c, 48, 0xa9)) << 8) |
         (((u32)MULxPOW(c, 239, 0xa9))));
}

Footnote: ’reverse’ is used because Cryptol stores words in little-endian order.

Page 8: Specification of SNOW 3G in Cryptol

Index

1 Cryptol

2 Stream Ciphers

3 Conclusion


Page 9: Specification of SNOW 3G in Cryptol

Stream Ciphers

Characteristics

Symmetric key ciphers ⇒ same key for encryption/decryption

Typically very fast (faster than Block ciphers)

Low hardware complexity

Low memory requirements

Encryption: plaintext ⊕ keystream

Decryption: ciphertext ⊕ keystream

Tries to capture the “essence” of the theoretically unbreakable One-Time Pad

Page 10: Specification of SNOW 3G in Cryptol

Stream Ciphers

One-Time Pad

Uses a truly random keystream

Impossible to determine any kind of relation between ciphertext and plaintext

Best attack: guessing the plaintext ⇒ Impossible to break

Ok but in reality...

The best we can do is generate a pseudo-random keystream ⇒ Statistical randomness (susceptible to attacks)

But it’s possible to make it very HARD to break

We cannot aim for theoretical security but practical security is good enough

Page 11: Specification of SNOW 3G in Cryptol

Linear Feedback Shift Register (LFSR)

Generates a sequence of bits with near random properties

But its mathematical structure gives too much away ⇒ possible to compute its polynomial representation

S-boxes make it possible to hide its (low) linear complexity ⇒ practical security!

Page 12: Specification of SNOW 3G in Cryptol

A simple LFSR in Cryptol

lfsr : [inf]Bit;
lfsr = [ False True False False True False True True ] #
       [| (x3 ^ x5 ^ x7)
       || x3 <- drop(3, lfsr)
       || x5 <- drop(5, lfsr)
       || x7 <- drop(7, lfsr) |];


Page 13: Specification of SNOW 3G in Cryptol

Substitution boxes (S-boxes)

Lookup table of portions of bits

Reduces relation between plaintext and ciphertext (Shannon’s confusion property)

Increases resistance to different cryptanalysis techniques

Page 14: Specification of SNOW 3G in Cryptol

S-boxes in Cryptol


Page 15: Specification of SNOW 3G in Cryptol

SNOW 3G

Invented at Lund University (Sweden)

Chosen as the cipher of 3GPP encryption algorithms UEA2 and UIA2

Uses a 128/256 bit key

Combination of a LFSR with a Finite State Machine (S-boxes)

Best (known) attack is exhaustive keyspace brute force (2^128) ⇒ Completely safe by today’s standards

Page 16: Specification of SNOW 3G in Cryptol

SNOW 3G Structure


Page 17: Specification of SNOW 3G in Cryptol

SNOW 3G Spec I - MULx

SNOW 3G Specification

MULx maps 16 bits to 8 bits. If the leftmost (i.e. the most significant) bit of V equals 1, then MULx(V, c) = (V ≪₈ 1) ⊕ c, else MULx(V, c) = V ≪₈ 1

MULx : ([8], [8]) -> [8];
MULx(v, c) = if (v ! 0) == True then (v << 1) ^ c
             else (v << 1);
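
MULx from this slide and MULα from the earlier Language slide, written out as a runnable C example that is added here (it is neither the authors' Cryptol nor the reference C code quoted earlier). MULxPOW is not defined on the slides; the version below iterates MULx i times, as the SNOW 3G specification defines it, and the lowercase function names and the linearity check are additions for this example.

```c
#include <stdint.h>
#include <stdio.h>

/* MULx: if the most significant bit of V is set, (V <<_8 1) ^ c,
 * otherwise V <<_8 1. The cast drops the bit shifted out of the byte. */
uint8_t mulx(uint8_t v, uint8_t c) {
    uint8_t shifted = (uint8_t)(v << 1);
    return (v & 0x80) ? (uint8_t)(shifted ^ c) : shifted;
}

/* MULxPOW(V, i, c): MULx applied i times (iterative form of the
 * specification's recursion; i = 0 returns V unchanged). */
uint8_t mulxpow(uint8_t v, unsigned i, uint8_t c) {
    while (i--) v = mulx(v, c);
    return v;
}

/* MULalpha: the four bytes concatenated with the first term in the most
 * significant position, matching the shifts in the quoted C function. */
uint32_t mulalpha(uint8_t c) {
    return ((uint32_t)mulxpow(c, 23, 0xA9) << 24) |
           ((uint32_t)mulxpow(c, 245, 0xA9) << 16) |
           ((uint32_t)mulxpow(c, 48, 0xA9) << 8) |
            (uint32_t)mulxpow(c, 239, 0xA9);
}

/* Checks that MULalpha is linear over GF(2), i.e. that
 * f(a ^ b) == f(a) ^ f(b) for every pair of bytes. Returns 1 if so. */
int mulalpha_is_linear(void) {
    for (unsigned a = 0; a < 256; a++)
        for (unsigned b = 0; b < 256; b++)
            if (mulalpha((uint8_t)(a ^ b)) !=
                (mulalpha((uint8_t)a) ^ mulalpha((uint8_t)b)))
                return 0;
    return 1;
}

int main(void) {
    printf("MULalpha(0x01) = 0x%08X, linear = %d\n",
           (unsigned)mulalpha(0x01), mulalpha_is_linear());
    return 0;
}
```

Because the map is linear, it contributes no confusion by itself; in SNOW 3G that role falls to the S-boxes of the finite state machine.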


Page 18: Specification of SNOW 3G in Cryptol

SNOW 3G Spec II - Initialization


Page 19: Specification of SNOW 3G in Cryptol

Index

1 Cryptol

2 Stream Ciphers

3 Conclusion


Page 20: Specification of SNOW 3G in Cryptol

Conclusion

With Cryptol it is much easier to specify low-level algorithms

The specification is formal and easier to read

Page 21: Specification of SNOW 3G in Cryptol

Questions

?
